[Emerging-Sigs] Kuriyama Loader
tgreen at emergingthreats.net
Fri Jan 26 06:37:09 HST 2018
Thanks! We'll get this in QA for today's release.
On Thu, Jan 25, 2018 at 3:18 AM, Attack Detection <attackdetectionteam at gmail.com> wrote:
> Hi, Kuriyama bot here.
> Translation of the description from the seller's website:
> Kuriyama is a multifunctional experimental loader that uses Telegraph
> as a control panel. The idea of creating something similar I picked up from
> botnets focusing on YouTube, Twitter, etc. When using Telegraph, you do not
> need to bother with anonymity, setting up a VPN, hosting, domains and other
> slag. The Telegraph post will be tied to your hardware and you will not be
> able to reconnect the build without agreement with me.
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [PTsecurity] Kuriyama Loader Checkin"; flow:established,to_server; content:"?hwid="; http_uri; content:"&group="; http_uri; fast_pattern; content:"&os="; http_uri; content:"&cpu="; http_uri; content:"GET"; http_method; content:!"Referer|3a|"; http_header; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_01_25, malware_family botnet, malware_family loaders, performance_impact Moderate, updated_at 2018_01_25; classtype:trojan-activity; metadata:id_462921,created_at 2018_1_25; sid:10002482; rev:1;)
> Page(ru) https://darkwebs.ws/threads/41806/
> Pcap: https://www.dropbox.com/sh/78kmpbf29yrdpbq/
> VT: https://www.virustotal.com/en/file/2cb01f61d24400c4a868e4a836019f
> HA: https://www.hybrid-analysis.com/sample/2cb01f61d24400c4a868e4a836019f
> Best regards, John.
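The rule quoted above keys on four URI parameters (`?hwid=`, `&group=`, `&os=`, `&cpu=`), the GET method, and the absence of a `Referer` header. The following is an added example, not code from the post, from PTsecurity or from Emerging Threats: it re-implements that match logic in plain Python so the conditions can be checked against captured requests outside Suricata. The HTTP requests it tests are constructed for the example; the hostnames, hardware ids and group names are placeholders, not indicators from the sample. It models only the content/http_uri/http_method/http_header buffers; the `flow:established,to_server` condition is assumed to be satisfied by whatever feeds it client-side requests.

```python
"""Added example: re-implementation of the match logic of the quoted
Kuriyama Loader check-in signature over raw HTTP requests.
Not Suricata's matcher and not the rule author's code."""

from typing import Dict, Tuple

# Content matches copied from the signature. Suricata content matches are
# case-sensitive unless 'nocase' is given, so these are compared as-is.
URI_TOKENS = ("?hwid=", "&group=", "&os=", "&cpu=")
REQUIRED_METHOD = "GET"
# The rule's negated match is content:!"Referer|3a|"; http_header;
# i.e. the literal bytes "Referer:" must NOT appear in the header block.
FORBIDDEN_HEADER_BYTES = "Referer:"


def parse_request(raw: str) -> Tuple[str, str, str]:
    """Split a raw HTTP/1.x request into (method, uri, header_block).

    Only the request line and the headers are returned, mirroring the
    http_method, http_uri and http_header buffers the rule inspects."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, _, header_block = head.partition("\r\n")
    parts = request_line.split(" ")
    if len(parts) < 2:
        raise ValueError("malformed request line: %r" % request_line)
    return parts[0], parts[1], header_block


def matches_kuriyama_checkin(raw: str) -> bool:
    """Return True when every condition of the quoted signature holds."""
    method, uri, header_block = parse_request(raw)
    if method != REQUIRED_METHOD:
        return False
    if not all(token in uri for token in URI_TOKENS):
        return False
    if FORBIDDEN_HEADER_BYTES in header_block:
        return False
    return True


# Constructed sample requests (placeholder host and parameter values).
SAMPLE_CHECKIN = (
    "GET /gate.php?hwid=PLACEHOLDER-HWID&group=test&os=Win7&cpu=x64 HTTP/1.1\r\n"
    "Host: c2.example.invalid\r\n"
    "User-Agent: Mozilla/4.0\r\n"
    "\r\n"
)
SAMPLE_WITH_REFERER = SAMPLE_CHECKIN.replace(
    "User-Agent: Mozilla/4.0\r\n",
    "User-Agent: Mozilla/4.0\r\nReferer: http://www.example.invalid/\r\n",
)
SAMPLE_POST = SAMPLE_CHECKIN.replace("GET ", "POST ", 1)
SAMPLE_MISSING_CPU = SAMPLE_CHECKIN.replace("&cpu=x64", "")


def classify_samples() -> Dict[str, bool]:
    """Run the matcher over each constructed sample; used by the usage below."""
    return {
        "checkin": matches_kuriyama_checkin(SAMPLE_CHECKIN),
        "with_referer": matches_kuriyama_checkin(SAMPLE_WITH_REFERER),
        "post": matches_kuriyama_checkin(SAMPLE_POST),
        "missing_cpu": matches_kuriyama_checkin(SAMPLE_MISSING_CPU),
    }


if __name__ == "__main__":
    for name, hit in classify_samples().items():
        print("%-13s -> %s" % (name, "ALERT" if hit else "no match"))
```

Only the first sample fires; adding a `Referer` header, changing the method, or dropping any one of the four parameters makes the request fall outside the rule, which is the behaviour a tuning analyst would want to confirm against a pcap before deploying it.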